DOE/IG-0483

AUDIT REPORT

IMPLEMENTATION OF PRESIDENTIAL DECISION DIRECTIVE 63, CRITICAL INFRASTRUCTURE PROTECTION

SEPTEMBER 2000

U.S. DEPARTMENT OF ENERGY
OFFICE OF INSPECTOR GENERAL
OFFICE OF AUDIT SERVICES


September 22, 2000

MEMORANDUM FOR THE SECRETARY

FROM:     Gregory H. Friedman (Signed)
          Inspector General

SUBJECT:  INFORMATION: Audit Report on the Department's "Implementation of Presidential Decision Directive 63, Critical Infrastructure Protection"

BACKGROUND

In 1997, a Presidential Commission on Critical Infrastructure Protection concluded that the national critical infrastructures – energy, banking, transportation, vital human services, and telecommunications – were vulnerable to attack through the malicious use of commonly available tools. On May 22, 1998, as a result of the Commission's findings, the President issued Presidential Decision Directive 63 (PDD 63), Critical Infrastructure Protection. PDD 63 required Federal agencies to take action to eliminate significant vulnerabilities, especially cyber-related, and to assure the continuity and viability of the nation's critical infrastructures.

Under PDD 63 the Department of Energy (Department) is required to develop and implement a number of infrastructure protective measures.
Specifically, the Department was required to:

    • Develop and implement an internal plan for protecting its critical infrastructure assets by May 22, 2000; and,

    • Coordinate external energy sector infrastructure protection activities by aiding private sector electric power and petroleum entities in assessing their vulnerabilities to cyber and physical attack, recommending plans to eliminate vulnerabilities, and proposing a system for identifying and preventing attacks.

The objective of our audit was to determine whether the Department's implementation of PDD 63, Critical Infrastructure Protection, was achieving its intended purpose.

RESULTS OF AUDIT

The audit disclosed that the Department had not implemented its critical infrastructure protection plan to mitigate significant vulnerabilities, or assure the continuity and viability of its critical infrastructures. While external energy sector infrastructure protection activities were progressing and a number of internal and collateral actions had been completed, actions had not progressed to the point where the objectives of PDD 63 were being accomplished. For example:

    • Planning and assessment activities required by PDD 63, such as critical asset identification, vulnerability assessments, and corrective action plans remained incomplete; and,

    • PDD 63 implementation efforts had not been given sufficient management attention or priority. Implementation efforts were hampered by a lack of specific Departmental plans, performance measures, and goals.

The Department's lack of progress to date in fully implementing and executing PDD 63 increases the risk of malicious damage to its cyber-related critical infrastructure that could adversely impact the Department's ability to protect critical assets and deliver essential services. National goals for achieving an initial protection capability by the end of 2000 and a fully functional infrastructure protection program by 2003 may also be adversely impacted.

MANAGEMENT REACTION

We recommended a series of actions to help ensure that future efforts to protect the Department's critical infrastructures are successful. Management concurred with the finding and recommendations.

Attachment

cc: Deputy Secretary
    Under Secretary for Energy, Science and Environment
    Under Secretary for Nuclear Security/Administrator for Nuclear Security
    Chief Information Officer
    Director, Office of Security and Emergency Operations


Implementation of Presidential Decision Directive 63, Critical Infrastructure Protection

TABLE OF CONTENTS

Overview

    Introduction and Objective ............................ 1
    Conclusions and Observations .......................... 2

Implementation of Presidential Decision Directive 63, Critical Infrastructure Protection

    Details of Finding .................................... 3
    Recommendations and Comments .......................... 8

Appendices

    1. Examples of Potential Cyber-based Critical Infrastructure Assets ... 9
    2. Scope and Methodology ............................. 10
    3. Prior Reports ..................................... 11
    4. Management Comments ............................... 12


Overview

INTRODUCTION AND OBJECTIVE

In 1997, a Presidential Commission on Critical Infrastructure Protection concluded that the national critical infrastructures – energy, banking, transportation, vital human services, and telecommunications – must be viewed in a new context in the information age. The linkages resulting from the integration of telecommunications and computer systems have created a new dimension of vulnerability that poses an unprecedented national risk. Our infrastructures can now be attacked and damaged through the malicious use of commonly available tools.

As a result of the Commission's findings, the President issued Presidential Decision Directive 63 (PDD 63), Critical Infrastructure Protection, on May 22, 1998.
PDD 63 required Federal agencies to take action to eliminate significant vulnerabilities, especially cyber-related, and to assure the continuity and viability of the nation's critical infrastructures. The President also set two national infrastructure protection goals. First, an initial operating capability for infrastructure protection is to be achieved by the end of 2000. Second, by May 2003, the United States is to have established the ability to protect its critical infrastructures from intentional acts that could diminish the abilities of:

    • The Federal government to perform essential national security missions and ensure the general public health and safety;

    • State and local governments to maintain order and to deliver minimum essential public services; and

    • The private sector to ensure the orderly functioning of the economy and delivery of essential telecommunications, energy, financial, and transportation services.

PDD 63 required the Department of Energy (Department) to develop and implement internal and external protective measures. Internally, the Department was required to develop and implement a plan for protecting its critical infrastructure assets, including appointment of responsible officials, by May 22, 2000. Externally, the Department was required to coordinate energy sector infrastructure protection activities by serving as the Federal government's liaison with private industry on issues related to protecting electric power and petroleum production and storage assets. Specifically, the Department was required to aid private sector entities in assessing their vulnerabilities to cyber and physical attack, to recommend plans to eliminate vulnerabilities, and to propose a system for identifying and preventing attacks.

The objective of our audit was to determine whether the Department's implementation of PDD 63, Critical Infrastructure Protection, was achieving its intended purpose.

CONCLUSIONS AND OBSERVATIONS

While external energy sector infrastructure protection activities were progressing and a number of internal and collateral actions had been completed, the Department had not implemented its critical infrastructure protection plan to mitigate significant vulnerabilities, or assure the continuity and viability of its critical infrastructures. Therefore, the Department could not achieve the purpose of PDD 63. Planning and assessment activities required by PDD 63, such as critical asset identification, vulnerability assessments, and corrective action plans remained incomplete. Required actions were not completed because the Department had not given PDD 63 implementation efforts sufficient management attention or priority.
For instance, a lack of specific plans, performance measures, and goals negatively impacted implementation efforts. The Department's lack of progress in implementing PDD 63 increases the risk of malicious damage to its cyber-related critical infrastructure that could adversely impact the Department's ability to protect critical assets and deliver essential services. National goals for achieving an initial protection capability by the end of 2000 and a fully functional infrastructure protection program by 2003 may also be adversely impacted.

In our opinion, the audit identified issues that management should consider when preparing its year-end assurance memorandum on management controls.

                                        (Signed)
                                        Office of Inspector General


Details of Finding

Critical Infrastructure Protection Efforts Not Complete

The Department had not implemented its Critical Infrastructure Protection Plan (CIPP) to mitigate significant vulnerabilities or assure the continuity and viability of its critical infrastructures. Specifically, the Department's plan had not been amended to correct deficiencies in the areas of threat analysis and emergency planning disclosed by an external expert review. Also, the Department had not completed internal infrastructure protection assessment activities such as critical asset identification, vulnerability assessments, or the preparation of corrective action plans and did not meet established milestones. Even though the Department had not achieved the intended purpose of PDD 63, it had made progress in completing certain preliminary actions, external coordination activities, and several collateral efforts.

Critical Infrastructure Protection Plan

While a significant amount of effort was initially devoted to the preparation of its overall CIPP, the Department had not completed action to correct plan deficiencies reported by an expert review team. The initial plan described the Department's overall methodology for identifying critical assets and performing vulnerability assessments. The plan also established milestones for completing these tasks. However, a subsequent expert review of the plan found that it lacked detail in several areas. The review team indicated that the plan did not include sufficient detail in the threat analysis and emergency planning areas. Despite guidance by the review team, the Department did not take action to revise its CIPP to address the team's findings. According to an official with the National Critical Infrastructure Assurance Office (CIAO), the Department was one of only three Federal agencies that had not submitted a revised CIPP incorporating the expert review team's comments.

Critical Infrastructure Assessment Activities and Milestones

The Department also had not completed the critical asset identification process essential for successful implementation of PDD 63. Although the Department's CIPP required that the process be completed and a report submitted to the Under Secretary by March 1999, little progress had been made. The Department had not completed the process of evaluating infrastructure assets based on their ability to impact national security, public safety and health, national economic security, or the ability to satisfy internal management and administrative functions. Lack of progress in this area prompted the National CIAO to offer the Department assistance with the identification process. While the Department had agreed to accept the offer, no target completion dates or performance goals for the task had been established.

The Department did not achieve established milestones for completing vulnerability assessments or developing corrective action plans.
As with critical asset identification, these activities were specifically required by the Department's implementation plan and are essential for successful implementation of PDD 63. For instance, the results of specific vulnerability assessments, based on a Departmental threat statement, should have been provided to the Under Secretary in February 2000. Also, summaries of all corrective action plans developed to mitigate identified vulnerabilities should have been provided to the Under Secretary by March 2000.

Department's Progress

While the Department had not been successful in satisfying internal planning and implementation requirements, it had completed a number of preliminary activities. During early stages of its implementation efforts, for instance, the Department established a critical infrastructure protection task force to begin the process of developing a means of protecting its own assets. In addition, it assigned the Chief Information Officer responsibility for information assurance and the Chief Infrastructure Assurance Officer responsibility for protecting physical assets. Overall programmatic responsibility for PDD 63 implementation was also consolidated under the Office of Security and Emergency Operations.

The Department had made progress in fulfilling its responsibilities for coordinating energy sector infrastructure protection activities. Overall, activities associated with protecting critical private sector utility and petroleum industry assets were progressing. The Office of Critical Infrastructure Protection (OCIP), under the Office of Security and Emergency Operations, is working with private sector entities on issues related to protecting critical industry assets. Since its creation, the OCIP submitted detailed budget requests and developed comprehensive action plans for identifying and mitigating private sector vulnerabilities. Additionally, OCIP is tracking the progress of discrete tasks, such as vulnerability assessments, and appears to be making progress toward achieving established milestones.

The Department was involved with or had completed several collateral initiatives that should facilitate but not replace PDD 63 implementation. The Department focused on these exigent issues and delayed implementation efforts accordingly. Specifically, the Department had been immersed in a complex-wide effort to improve cyber security. This effort began in late 1999 and was steadily progressing. The Year 2000 Computer Remediation effort, with the attendant identification of mission essential or critical information systems, was also recently completed. Based on the success of the Year 2000 effort, the Department was able to make the new year rollover without major difficulty.

While the Department's on-going initiative to improve cyber security had achieved a number of successes, that program, standing alone, is insufficient to satisfy the mandate of PDD 63. As we pointed out in our recent report on Audit of Unclassified Computer Network Security at Selected Field Sites (DOE/IG-0459, February 2000), the Department had begun an effort to mitigate long-standing network vulnerabilities and improve the overall cyber security climate. Such actions, while noteworthy, should be viewed as a foundation rather than as a substitute for the comprehensive vulnerability assessment process envisioned by PDD 63. For instance, vulnerability tests conducted in connection with the cyber security initiative were limited in scope, and may not satisfy PDD 63 requirements to evaluate the interdependencies between Departmental systems as well as external infrastructures such as telecommunications, power, and transportation.

The Department also had not taken advantage of the systems listing prepared in support of the Year 2000 remediation program to reduce the PDD 63 implementation burden. Although this listing of critical information systems cannot be substituted for the specific asset identification process required by PDD 63, the Department may be able to leverage such information to facilitate implementation efforts. For instance, based on our preliminary analysis, we identified some noteworthy examples of systems that the Department should consider as critical infrastructure assets (see Appendix 1 of this report). Such Departmental systems, if compromised, could negatively impact national security, public safety and health, economic security, or the Department's ability to satisfy internal administrative and management functions.

Implementation Requirements

To accomplish its stated purpose, PDD 63 identified a series of specific actions Federal agencies were required to perform. For example, the Department was required to develop and fully implement a plan for protecting its critical computer ("cyber-based") and physical assets by May 22, 2000. Federal agencies were also required to subject their infrastructure protection plans to an expert review process sponsored by the National Critical Infrastructure Coordination Group. An important intention of PDD 63 was for Federal agencies to provide the private sector with a model on how to best protect national critical infrastructure assets.

In addition to satisfying internal infrastructure protection requirements, the Department was also charged with the responsibility for coordinating energy sector activities. Specifically, the Department was assigned the responsibility for serving as the Federal government's liaison to private industry on issues related to protecting electric power and petroleum production and storage assets.
This responsibility required the Department to aid private sector entities in assessing their vulnerabilities to cyber and physical attack, to recommend plans to eliminate vulnerabilities, and to propose a system for identifying and preventing attacks.

Internal Implementation Efforts Have Not Been Given Sufficient Attention or Priority

While the Department had embarked on a major effort designed to improve cyber security and sustainability of cyber-related critical infrastructures, it had not given sufficient attention or priority to PDD 63 implementation. Specific performance measures or goals had not been established, detailed funding plans had not been prepared, and resources needed for implementation had not been identified. Competing priorities and organization changes also detracted from implementation efforts.

Lack of Performance Measures or Goals

The Department did not develop specific performance measures or goals, as required by the Government Performance and Results Act, to guide PDD 63 implementation efforts. For instance, our analysis of the Department's Fiscal Year (FY) 1999 Performance Agreement disclosed that infrastructure protection activities were assigned to the Office of Nonproliferation and National Security even though the CIPP divided critical asset protection responsibilities between the Department's Chief Information Officer and the Chief Infrastructure Assurance Officer. Additionally, the Department's FY 2000 and FY 2001 Performance Plans did not contain specific measures or goals for completing critical infrastructure protection activities.

Funding and Resource Plans

Detailed resource and funding plans identifying all critical infrastructure protection tasks also had not been prepared. While the Department formulated detailed tasks for assisting external entities with critical infrastructure protection activities, internal implementation plans had not been developed. Resource plans identifying requirements such as personnel, facilities, and training necessary for implementation had not been prepared. The Department's budget requests for FYs 1999, 2000, and 2001 also did not seek specific funding for internal critical infrastructure protection efforts. Furthermore, budget submissions for cyber security for those same years did not specifically identify funding for completing internal infrastructure protection tasks such as critical asset identification, vulnerability assessments, or corrective action plans. In contrast, the Department budgeted $2.1 million and $13 million for FYs 2000 and 2001, respectively, for external critical infrastructure protection efforts.

Organizational Focus

Organizational challenges impacted the Department's critical infrastructure protection efforts. The Office of the Chief Information Officer indicated that the Department had elected to focus on exigent problems in the cyber security area rather than on completing PDD 63 planning and assessment activities. Other officials from the Office of Security and Emergency Operations also indicated that PDD 63 implementation efforts had been delayed due to competing priorities such as Year 2000 remediation efforts and reorganizations within the Department.

Implementation Shortcomings Could Impact Departmental and National Systems

The Department's lack of progress in implementing PDD 63 increases the risk of malicious damage to its cyber-related critical infrastructure that could adversely impact the Department's ability to protect critical assets and deliver essential services.
Without the benefit of critical asset identification, vulnerability assessments, and corrective actions, the Department may not be able to swiftly eliminate any significant vulnerability to cyber attacks or ensure that any interruption or manipulation of cyber assets will be brief, infrequent, manageable, and minimally detrimental. Such protection efforts are necessary not only to ensure the Department's ability to perform national missions, deliver essential services, and ensure public safety and health but also for achievement of principal PDD 63 objectives.

Furthermore, the Department's overall lack of progress in implementing its CIPP may impact national goals. Without Departmental improvements, the national goals of realizing an initial infrastructure protection capability by the end of year 2000, and developing a fully functional critical infrastructure protection program by year 2003 may not be achieved. Additionally, other Federal agencies that rely on the Department for services or information may be unable to complete their critical infrastructure protection efforts until the Department's implementation efforts are complete. For example, the Department of Defense and the Nuclear Regulatory Commission rely on a Departmental nuclear material accountability system and may be adversely affected by the Department's lack of progress.

RECOMMENDATIONS

We recommend that the Director, Office of Security and Emergency Operations take the following actions to facilitate PDD 63 implementation:

    1. Revise the Department's CIPP to include expert review team comments and new implementation milestones;

    2. Prepare a detailed, comprehensive resource plan for all critical infrastructure protection efforts;

    3. Reallocate budgetary resources and/or seek additional funds to satisfy critical infrastructure protection requirements; and

    4. Establish specific critical infrastructure protection performance measures, based on revised CIPP milestones, and include them in the Department's annual performance plans.

MANAGEMENT REACTIONS

Management concurred with the finding and recommendations. (Management's comments are included in their entirety in Appendix 4.)

AUDITOR COMMENTS

Management's actions are responsive to our recommendations.


Appendix 1

EXAMPLES OF POTENTIAL CYBER-BASED CRITICAL INFRASTRUCTURE ASSETS

Focus Area          System Name                                                   Responsible Organization
------------------  ------------------------------------------------------------  ---------------------------------
National Security   Nuclear Materials Management and Safeguards System            Security and Emergency Operations
                    Nuclear Material Inventory System at Los Alamos               Defense Programs
                    SECOM Tracking System                                         Defense Programs
Safety and Health   Defense Waste Processing Facility Process Control Systems     Environmental Management
                      at Savannah River
                    Tank Monitoring and Control System at Hanford                 Environmental Management
Economy             Supervisory Control and Data Acquisition System               Bonneville Power Administration
                    Supervisory Control and Data Acquisition Energy Management    Western Area Power Administration
                      System
Agency Operations   Corporate Human Resource Information System                   Management and Administration
                    Departmental Integrated Standardized Core Accounting System   Chief Financial Officer


Appendix 2

SCOPE

The audit was performed between January and July 2000 at Department Headquarters in Washington, DC. We conducted our audit, in part, to support a President's Council on Integrity and Efficiency initiative to review Federal government-wide PDD 63 implementation efforts. The scope of the audit work was primarily limited to reviewing plans and specific actions taken by the Department to identify and protect cyber-based critical infrastructure assets for compliance with PDD 63.

METHODOLOGY

To satisfy the audit objective, we:

    • Reviewed applicable directives and guidance, such as Presidential Decision Directive 63, Critical Infrastructure Protection, dated May 22, 1998, and the Government Performance and Results Act of 1993.

    • Analyzed the Department's November 18, 1998, Critical Infrastructure Protection Plan.

    • Analyzed Departmental budget requests and performance plans for information related to critical infrastructure protection efforts.

    • Reviewed the conclusions reached by an independent expert review team from the National Critical Infrastructure Assurance Office.

    • Held discussions with management officials from the Offices
        of Security and Emergency Operations, Chief Information\n                        Officer, Critical Infrastructure Protection, and the National\n                        Critical Infrastructure Assurance Office.\n\n              The audit was conducted in accordance with generally accepted\n              Government auditing standards for performance audits and included\n              tests of internal controls and compliance with laws and regulations to\n              the extent necessary to satisfy the audit objective. Because our review\n              was limited, it would not necessarily have disclosed all internal control\n              deficiencies that may have existed. Also, we did not rely on computer-\n              processed data to accomplish our audit objective. An exit conference\n              was held with the Office of Security and Emergency Operations on\n              July 6, 2000.\n\n\n\n\nPage 10                                                     Scope and Methodology\n\x0cAppendix 3\n\n                            RELATED OFFICE OF INSPECTOR GENERAL AND\n                              GENERAL ACCOUNTING OFFICE REPORTS\n\n\n\xe2\x80\xa2   Audit of Departmental Integrated Standardized Core Accounting System (DISCAS) Operations at\n    Selected Field Sites, (AP-FS-97-02, June 1997). The report pointed out that some weaknesses existed in\n    the general and application controls for DISCAS that could adversely affect the reliability of data\n    processed through the system.\n\n\xe2\x80\xa2   Audit of the ADP General Controls at Idaho National Engineering and Environmental Laboratory\n    (CR-FS-L-98-01, February 1998). 
The report stated that, although general controls had been\n    established for ensuring that application controls could not be rendered ineffective by circumvention or\n    modification, further enhancements were needed to ensure proper security over sensitive computer\n    systems and data.\n\n\xe2\x80\xa2   Audit of the ADP General Controls at Oak Ridge Complex, (CR-FS-L-98-02, February 1998). The\n    report stated that, although general controls had been established for ensuring that application controls\n    could not be rendered ineffective by circumvention or modification, further enhancements were needed\n    to ensure proper security over computer systems and data.\n\n\xe2\x80\xa2    Report on Critical Infrastructure Protection \xe2\x80\x93 Comprehensive Strategy Can Draw on Year 2000\n    Experiences, United States General Accounting Office (GAO), (GAO/AIMD-00-1, October 1999). The\n    report stated that our nation\'s computer based critical infrastructures are at increasing risk of severe\n    disruption. The report pointed out that, in the Federal government, these risks are not being adequately\n    addressed, and that tests and evaluations show that Federal systems are not being effectively protected,\n    even though these systems process, store, and transmit enormous amounts of sensitive data and are\n    indispensable to agency operations. GAO concluded that it is important that the Federal government\n    take advantage of experience gained in addressing the Year 2000 challenge as it strives to reduce the\n    risk associated with longer term threats to critical infrastructures.\n\n\xe2\x80\xa2   Audit of Unclassified Computer Network Security at Selected Field Sites, (DOE/IG-0459, February\n    2000). 
The report disclosed that six Departmental sites had significant internal or external weaknesses\n    that increased the risk that their unclassified computer networks could be damaged by malicious attack.\n    The OIG pointed out the need for correcting vulnerabilities found and establishing specific goals and\n    performance measures for improving the level of unclassified computer security relating to network\n    operations.\n\n\xe2\x80\xa2   Information Security: Vulnerabilities in DOE\'s Systems for Unclassified Civilian Research, United\n    States General Accounting Office (GAO), (GAO/AIMD-00-140, June 2000). The report stated that\n    unclassified information systems for scientific research are not consistently protected at all DOE\n    laboratories. GAO recommended that the Secretary take immediate steps to strengthen information\n    technology security management at DOE laboratories.\n\n\n\nPage 11                                                                                        Prior Reports\n\x0cAppendix 4\n\n\n\n\nPage 12      Management Comments\n\x0cPage 13   Management Comments\n\x0cPage 14   Management Comments\n\x0cPage 15   Management Comments\n\x0cPage 16   Management Comments\n\x0c                                                                             IG Report No. : DOE/IG-0483\n\n                                    CUSTOMER RESPONSE FORM\n\n\nThe Office of Inspector General has a continuing interest in improving the usefulness of its products. We\nwish to make our reports as responsive as possible to our customers\' requirements, and, therefore, ask that\nyou consider sharing your thoughts with us. On the back of this form, you may suggest improvements to\nenhance the effectiveness of future reports. Please include answers to the following questions if they are\napplicable to you:\n\n1. 
What additional background information about the selection, scheduling, scope, or procedures of the\n   audit would have been helpful to the reader in understanding this report?\n\n2. What additional information related to findings and recommendations could have been included in this\n   report to assist management in implementing corrective actions?\n\n3. What format, stylistic, or organizational changes might have made this report\'s overall message more\n   clear to the reader?\n\n4. What additional actions could the Office of Inspector General have taken on the issues discussed in this\n   report which would have been helpful?\n\nPlease include your name and telephone number so that we may contact you should we have any questions\nabout your comments.\n\nName _____________________________             Date __________________________\n\nTelephone _________________________            Organization ____________________\n\nWhen you have completed this form, you may telefax it to the Office of Inspector General at (202) 586-\n0948, or you may mail it to:\n\n                                     Office of Inspector General (IG-1)\n                                           Department of Energy\n                                          Washington, DC 20585\n\n                                        ATTN: Customer Relations\n\nIf you wish to discuss this report or your comments with a staff member of the Office of Inspector General,\nplease contact Wilma Slaughter at (202) 586-1924.\n\x0cThe Office of Inspector General wants to make the distribution of its reports as customer friendly and cost\n  effective as possible. 
Therefore, this report will be available electronically through the Internet at the\n                                       following alternative address:\n\n\n                      Department of EnergyOffice of Inspector General, Home Page\n                                        http://www.ig.doe.gov\n\n\n                    Your comments would be appreciated and can be provided on the\n                           Customer Response Form attached to the report.\n\x0c'